NPC says Jollibee's data breach compromised personal data of 11 million customers
The data breach that struck Jollibee Foods Corporation (JFC) reportedly compromised personal data of about 11 million customers of all the restaurant brands under the restaurant conglomerate, according to the National Privacy Commission (NPC).
Rainier Anthony Milanes, chief of the NPC's compliance and monitoring division, said that JFC's breach notification report detailed that the leak is suspected to affect 11 million customers. The information leaked involved their date of birth and senior citizen ID number.
The data of JFC employees was possibly also compromised.
According to him, the breach hit the "data lake" of JFC where the personal data of customers of all the restaurant brands of the Jollibee Group was stored.
"When you say it's the data lake, all kinds of data are there, it could be structured or unstructured (data)," Milanes told the Philippine STAR in a Viber chat interview.
Keeping a data lake is a "management prerogative especially for private entities." JFC is also registered with the NPC as a personal information controller (PIC) and personal information processor (PIP), as mandated by the Data Privacy Act of 2012.
PIC refers to an entity that controls the collection, holding, processing or use of personal information while PIP is defined as an entity to whom a personal information controller may outsource the processing of personal data pertaining to a data subject.
Roren Marie Chin, chief of the NPC's public information and assistance division, meanwhile elaborated that other brands that have been affected by the data breach include Mang Inasal, Red Ribbon, Chowking, Greenwich, Burger King, Yoshinoya, and Panda Express.
"Jollibee Foods Corporation has requested an additional 20 days to complete its internal investigation," Chin said.
Other brands owned or controlled by the Jollibee Group are Panda Express, Common Man Roasters in the Philippines, Yonghe King, Hong Zhuang Yuan, Tim Ho Wan, Jollibee Hong Kong and Jollibee Macau in China, Smashburger, Jollibee North America, Red Ribbon and Chowking in North America, Milksha, and Coffee Bean and Tea Leaf.
The data breach was first reported by cybersecurity group Deep Web Konek on June 20, alleging that the hackers were selling the information of Jollibee's customers in forums.
PhilSTAR L!fe has also reached out to Jollibee for a statement on the matter. (with reports from Rainier Allan Ronda)